North Korea’s Koryolink: Built for Surveillance and Control

Eavesdropping and network security were the top concerns of the North Korean government in the months before Koryolink, the country’s current mobile network service, was launched in December 2008, according to minutes of a May 28, 2008 meeting in Kuala Lumpur between engineers from the Korea Posts and Telecommunications Co. (KPTC) and Orascom Telecom which have been seen by 38 North.

Despite being a technical-level meeting, the building of sufficient network surveillance capabilities was of such great importance to the regime that even Ri Su Yong (also known as Ri Chol or Ri Tcheul)[1], then the DPRK’s representative to the United Nations in Geneva, was in attendance.

At that time, it was clear that if the regime was going to attempt reintroducing telecommunications technology to the North Korean people, tight controls were needed to ensure it would not be used in subversive ways. Working together with Chinese technology companies, KPTC and Orascom created one of the most restrictive cellular environments in the world.

Background

The Koryolink service represented a grand plan by North Korea to reinvest in cellular technology after an earlier stumble. The country’s first cellular network started in 2002 but was abruptly closed in 2004, one month after a massive explosion hit a railway station in Ryongchon, leveling most of the town and reportedly killing thousands. Kim Jong Il’s train had traveled through the station hours earlier and a rumor spread that it was an assassination attempt triggered by cell phone. No cause was ever announced publicly but the network closed shortly afterwards. Consequently, for the country to attempt another cellular service, security would be of the utmost importance to the North Korean government.

Koryolink was a partnership between KPTC and Orascom Telecom, an Egyptian company that operated in several developing nations. Orascom held 75 percent of Cheo Technology, the company behind the Koryolink brand, with the rest remaining under KPTC ownership. At the time of the Kuala Lumpur meeting, a trial of the Koryolink network involving 50,000 subscribers was already underway but lacked any of the security requirements requested by the North Korean government. That led the minutes to note “the installation of the security system is the most important and urgent task.” Network security features included a comprehensive monitoring system that would allow the authorities to monitor calls and data transmission, as well as a special slice of the network for elites.

North Korea’s two-tier telephone network is well documented and classifies two types of subscribers: Domestic users can call other domestic subscribers but not place international calls or access the internet, while international users can make calls to anywhere in the world except domestic numbers and access just about any website except those on the state intranet. This firewall between domestic and international users is one of several methods used to control the flow of information. What is less known is that on Koryolink there is a third level of subscriber: the “special user.”

Encryption: The Elite Network

The identity of the “special” users isn’t difficult to guess. These users would be able to make and receive calls on specially-equipped handsets that included a domestic encryption system that prevents eavesdropping by outsiders. According to the minutes of the Kuala Lumpur meeting,

“Both sides recognized the importance and urgency of encryption in the mobile communication and agreed that they will work together in this field. Both sides had common agreement that the ordinary people will use the internationally standard mobile phones and special users will use different mobile phones which contain locally-developed encrypted algorithm. KPTC explains the necessity and priority of encrypted mobile phone for special users, and OTH agreed with KPTC.”

The initial requirement was to support 1,000 cell phones, likely representing the top rank of North Korean leadership. The North Korean authorities were apparently unwilling to trust a system developed by a third country and opted instead for a locally-developed encryption system. We can presume this was for fear of backdoors that would allow eavesdroppers to listen in on communications, although internally-developed proprietary systems are not always safer than internationally accepted and audited standards.

To deploy the encryption system, North Korea worked with two Chinese companies. China’s Huawei, one of the world’s biggest telecom infrastructure suppliers, provided much of the network equipment and was tasked with verifying that the encryption system did not introduce instability into the network.

“Huawei shall develop a test procedure to ensure applying the customized encryption algorithms developed by KPTC will have no impact on [Koryolink] network performance.”

Panda International Information Technology Co., a Beijing based tech company, worked on software for the system. Panda already had links with North Korea, having run Achim Panda JV Co., a joint-venture personal computer maker, since 2002. Panda had also been visited by both Kim Il Sung and Kim Jong Il during their visits to China, so was trusted and held in high regard by the North Korean regime.

Eavesdropping

Eavesdropping on communications was not a concern when it came to regular users of the network; however, at the same 2008 meeting in Kuala Lumpur, the two sides discussed the specifications for a legal interception gateway, or “LIG.” Such systems are used in cellular networks worldwide and are usually the means by which law enforcement is able to monitor communications from targeted phones. Initially, the LIG would support up to 2,500 targets with the ability to monitor up to 300 phone calls and 300 data sessions concurrently, according to a presentation document prepared by Huawei. (A second document specified 1,200 targets with concurrent 240 phone and 250 data sessions.)

The monitoring center would support up to 180 users of which 60 operators could be concurrently logged in. Data was to be stored in a 7-terabyte storage system. The phone monitoring system could intercept voice calls, text messages and fax messages while the data monitoring system supported HTTP (web sites), FTP (upload and download of files), MMS messaging and SMTP, POP3 and IMAP4 email protocols.

According to the meeting notes, there were plans to expand the monitoring system as the network expanded. The second stage would increase its reach to 5,000 target subscribers and an additional concurrent 300 phone and data sessions. It would also increase the number of users to 200, with 80 concurrent monitors and the storage capacity to 10 terabytes. In short, the monitoring arrangements covered just about everything a North Korean might be doing over the Koryolink network. As users were shut off from the internet, downloading of encrypted messaging platforms was not possible.

Jamming Systems

The meeting also discussed “the issue of researching and manufacturing of [a] jamming system to prevent the interception by satellite.” This is a curious concern as reception of cellular signals by satellite would be very challenging. Spy satellites are positioned several hundred kilometers in the sky—much farther than the few kilometers a typical cellular base station serves—and they’re traveling very fast, covering several kilometers of the earth per second. Additionally, antennas on base stations usually point slightly downwards, limiting the amount of signal that travels away from the earth; channels are reused putting multiple transmissions across the country on the same radio frequency.

For the system, KPTC provided Orascom with a list of €11.4 million worth of electronics manufacturing and test equipment that would supposedly help North Korean engineers build such a system. It included six Rohde & Schwarz FSP40 spectrum analyzers valued at €180,000 each and three Rohde & Schwarz FSQ26 signal analyzers that cost €230,000 each. The eventual destination within the DPRK of the equipment cannot be ascertained from the documents. But several reports in the following years mention German-made cellular detection equipment being used by the Ministry of State Security to catch North Koreans using Chinese cell phones at the border. It is quite possible the “satellite jamming system” was simply an excuse to get Orascom to provide the gear. Furthermore, the agreement said the number of systems would increase as coverage expanded:

“Both sides agreed that the number of jamming system that prevents interception by satellite should be increased, which is proportional to the expansion of the mobile communication service on nationwide coverage.”

Acquisition and shipping of the equipment were handled by Neweast International Trading Ltd., a Hong Kong-based company that would deliver it to Pyongyang’s Sunan Airport. Neweast was formed in August 2002 and closed down in December 2009. It listed two directors, Han Chol and Ju Ok Hui, who shared an address in Beijing’s Chaoyang District and held US dollar, euro and Hong Kong dollar accounts at the offshore banking unit of the Shanghai Pudong Development Bank.

Conclusion

It is impossible to know how fast these initial agreements were scaled up. The documents seen by 38 North don’t tie to future plans for subscriber growth, but we do know the service expanded rapidly. A year into operation Koryolink had 91,000 subscribers and that rose to 432,000 after two years and to just under a million subscriptions after three years. Today there are estimated to be around 5 million cellular subscribers in North Korea split between Koryolink and Kang Song NET, a government-owned operator. But more cell phones does not necessarily mean more freedom of information and communication. In the years following the launch, even greater security measures were developed to expand control systems beyond the network level to the handset level as well. For instance, smartphones were built to block the installation of unapproved apps, and software was installed to take random screenshots to record what people are doing on their phones. The security system that was born in Kuala Lumpur established one of the most surveilled cellular environments in the world.

Ri Su Yong would go on to be the DPRK’s Foreign Minister (2014-2016) and now leads the International Affairs Department of the Workers’ Party of Korea and serves as Chairman of the Supreme People’s Assembly Diplomatic Committee.